OpenShift Request For Enhancement
RFE-5578

EC2 Instance Metadata Service (IMDS) version configurability


      1. Proposed title of this feature request

      EC2 Instance Metadata Service (IMDS) version configurability on HCP node pools. 

      Today, when instances are run, HyperShift or CAPI for AWS explicitly sets the IMDSv2 metadata options. This configuration makes IMDSv2 optional. AWS is moving to IMDSv2-required and is also beginning to default to it in different clients. I've an idea: can we stop setting IMDS metadata options when running instances so that customers (or AWS) can handle this at the cloud level? AWS has introduced a way [1] to define IMDS defaults at the account+region level, which take effect when no IMDS configuration is done while running an instance. As this changes the defaults, can we plan this along with a y-version so customers ACK?

      1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#set-imdsv2-account-defaults

      2. What is the nature and description of the request?

      HCP creates EC2 instances as part of node pools. The EC2 instances created by default allow AWS EC2 IMDS v1 and v2. There is no ability to enforce that EC2 instances use only IMDSv2, which would require applications running on OpenShift to use short-lived tokens.
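For reference, an added in-process simulation (not AWS, HyperShift or OpenShift code) of what HttpTokens=optional versus HttpTokens=required means on the wire. FakeIMDS mirrors the status codes the real endpoint returns for these cases; the role name, the credential values and the `hops` argument, which stands in for how many network hops the caller sits from the metadata endpoint (a pod whose traffic is routed through the node is one hop further away than a process on the node itself), are constructed for the example.

```python
"""IMDSv1 vs IMDSv2 under HttpTokens=optional / required.

Added example; an in-process stand-in for the EC2 metadata endpoint, not AWS or
OpenShift code.  Role name, credential values and the `hops` argument are constructed.
"""
import json
import secrets
import time

TOKEN_PATH = "/latest/api/token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/worker-node-role"  # role name assumed


class FakeIMDS:
    """Mimics the status codes the real endpoint returns for the cases that matter here."""

    def __init__(self, http_tokens="optional", hop_limit=1, clock=time.monotonic):
        assert http_tokens in ("optional", "required")
        self.http_tokens = http_tokens
        self.hop_limit = hop_limit          # HttpPutResponseHopLimit: IP TTL on token responses
        self.clock = clock
        self._tokens = {}                   # token -> expiry time
        self.creds = {"AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",   # constructed, not real
                      "SecretAccessKey": "...", "Token": "..."}

    def request(self, method, path, headers=None, hops=1):
        """Return (status, body); status None means the response never arrived (timeout)."""
        h = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == TOKEN_PATH:
            if "x-forwarded-for" in h:      # token requests that came through a proxy are refused
                return 403, "Forbidden"
            ttl = int(h.get("x-aws-ec2-metadata-token-ttl-seconds", "0"))
            if not 1 <= ttl <= 21600:       # TTL must be 1 second .. 6 hours
                return 400, "Bad Request"
            if hops > self.hop_limit:       # response TTL expires before it reaches the caller
                return None, ""
            token = secrets.token_urlsafe(32)
            self._tokens[token] = self.clock() + ttl
            return 200, token
        if method == "GET":
            token = h.get("x-aws-ec2-metadata-token")
            if token is None and self.http_tokens == "required":
                return 401, "Unauthorized"  # IMDSv1-style request rejected
            if token is not None and self._tokens.get(token, 0) <= self.clock():
                return 401, "Unauthorized"  # unknown or expired token
            if path == CRED_PATH:
                return 200, json.dumps(self.creds)
            return 404, "Not Found"
        return 405, "Method Not Allowed"


def imdsv1_fetch(imds, path, hops=1):
    """Legacy pattern: one unauthenticated GET. Also exactly what an SSRF bug hands an attacker."""
    return imds.request("GET", path, hops=hops)


def imdsv2_fetch(imds, path, ttl=21600, hops=1):
    """Session-oriented pattern: PUT for a short-lived token, then GET with it."""
    status, token = imds.request("PUT", TOKEN_PATH,
                                 {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)}, hops=hops)
    if status != 200:
        return status, token
    return imds.request("GET", path, {"X-aws-ec2-metadata-token": token}, hops=hops)


def scenarios():
    """HTTP status (None = timeout) for the cases the RFE cares about."""
    optional, required = FakeIMDS("optional"), FakeIMDS("required")
    clock = [0.0]
    timed = FakeIMDS("required", clock=lambda: clock[0])
    _, tok = timed.request("PUT", TOKEN_PATH, {"X-aws-ec2-metadata-token-ttl-seconds": "5"})
    clock[0] = 6.0                                       # the 5-second token has now expired
    return {
        "v1_get_optional": imdsv1_fetch(optional, CRED_PATH)[0],     # 200: credentials to a plain GET
        "v1_get_required": imdsv1_fetch(required, CRED_PATH)[0],     # 401
        "v2_required": imdsv2_fetch(required, CRED_PATH)[0],         # 200
        "v2_via_proxy": required.request("PUT", TOKEN_PATH,
            {"X-aws-ec2-metadata-token-ttl-seconds": "60", "X-Forwarded-For": "10.0.0.9"})[0],  # 403
        "v2_pod_hoplimit1": imdsv2_fetch(required, CRED_PATH, hops=2)[0],   # None: pod needs hop limit 2
        "v2_pod_hoplimit2": imdsv2_fetch(FakeIMDS("required", hop_limit=2), CRED_PATH, hops=2)[0],  # 200
        "v2_expired_token": timed.request("GET", CRED_PATH, {"X-aws-ec2-metadata-token": tok})[0],  # 401
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print("%-18s %s" % (name, status))
```

The two caveats a practitioner hits when flipping a node pool to HttpTokens=required are both in the table: a pod that reaches IMDS through the node's routing is one hop further away, so HttpPutResponseHopLimit=1 leaves it unable to obtain a token at all (every v2 call times out), and tokens expire, so applications must re-request rather than cache them indefinitely.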

      3. Why does the customer need this? (List the business requirements here)

      IMDSv2 is more secure than IMDSv1 because of the requirement to use short-lived tokens when accessing the IMDS endpoint from the instance or from an application pod running on the instance.

      Customers could override this directly in EC2, but will that work when new nodes are created through autoscaling or auto-healing?

      Enterprise environments have IAM or SCP policies that require instances to be created only with IMDSv2. In such environments, it is not possible to create HCP clusters.

      Stand-alone OCP has this, and HCP is OCP.
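Added example (not HyperShift or CAPA code) of what a customer would run today to audit a node pool, remediate individual instances, set the account+region launch default from [1], and the shape of SCP that section 3 refers to. The describe-instances payload, instance IDs, node-pool name and region are placeholders; the AWS CLI commands are returned as strings so that the block runs offline, and must be run with real credentials to take effect.

```python
"""Audit and remediate IMDS settings on EC2 node-pool instances.

Added example, not HyperShift/CAPA code.  The describe-instances payload is constructed;
instance IDs, node-pool name and region are placeholders.  AWS CLI commands are returned
as strings so the block runs offline.
"""
import json

REGION = "us-east-1"          # assumed
HOP_LIMIT_FOR_PODS = 2        # token (PUT) responses must survive the extra hop from a pod

# Constructed `aws ec2 describe-instances` output for one node pool (not real data).
DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa000000000001",
     "Tags": [{"Key": "Name", "Value": "np-workers-abc12"}],
     "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                         "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaa000000000002",
     "Tags": [{"Key": "Name", "Value": "np-workers-abc12"}],
     "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                         "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0aaa000000000003",
     "Tags": [{"Key": "Name", "Value": "np-workers-abc12"}],
     "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                         "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
]}]}


def audit_instances(describe_output, hop_limit=HOP_LIMIT_FOR_PODS):
    """One finding per instance that still answers IMDSv1 requests, or whose hop limit
    would leave pods behind the node's routing unable to obtain IMDSv2 tokens."""
    findings = []
    for reservation in describe_output["Reservations"]:
        for inst in reservation["Instances"]:
            mo = inst.get("MetadataOptions", {})
            if mo.get("HttpEndpoint") != "enabled":
                continue                      # IMDS switched off entirely: nothing to enforce
            problems = []
            if mo.get("HttpTokens") != "required":
                problems.append("HttpTokens=%s (IMDSv1 reachable)" % mo.get("HttpTokens"))
            if mo.get("HttpPutResponseHopLimit", 1) < hop_limit:
                problems.append("HttpPutResponseHopLimit=%s (<%d, pods cannot obtain tokens)"
                                % (mo.get("HttpPutResponseHopLimit"), hop_limit))
            if problems:
                findings.append({"InstanceId": inst["InstanceId"], "Problems": problems})
    return findings


def remediation_commands(findings, region=REGION, hop_limit=HOP_LIMIT_FOR_PODS):
    """Per-instance fix. Replacement nodes from autoscaling or auto-healing are launched
    fresh, so this has to be re-run for them; the launch-time default is what sticks."""
    return ["aws ec2 modify-instance-metadata-options --region %s --instance-id %s "
            "--http-endpoint enabled --http-tokens required --http-put-response-hop-limit %d"
            % (region, f["InstanceId"], hop_limit) for f in findings]


def account_default_command(region=REGION, hop_limit=HOP_LIMIT_FOR_PODS):
    """Account+region default from [1]; applies only to RunInstances calls that do not
    pass MetadataOptions themselves."""
    return ("aws ec2 modify-instance-metadata-defaults --region %s "
            "--http-tokens required --http-put-response-hop-limit %d" % (region, hop_limit))


def imdsv2_scp():
    """SCP of the kind section 3 describes: deny launches or metadata edits that do not
    require IMDSv2, and deny use of role credentials obtained through IMDSv1."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "RequireImdsV2AtLaunch", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}},
        {"Sid": "NoDowngradeToImdsV1", "Effect": "Deny",
         "Action": "ec2:ModifyInstanceMetadataOptions", "Resource": "*",
         "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}},
        {"Sid": "DenyCredentialsObtainedViaImdsV1", "Effect": "Deny",
         "Action": "*", "Resource": "*",
         "Condition": {"NumericLessThan": {"ec2:RoleDelivery": "2.0"}}}]}


if __name__ == "__main__":
    found = audit_instances(DESCRIBE_INSTANCES)
    print(json.dumps(found, indent=2))
    print("\n".join(remediation_commands(found)))
    print(account_default_command())
    print(json.dumps(imdsv2_scp(), indent=2))
```

Under the first SCP statement, a RunInstances call that explicitly passes HttpTokens=optional, which is what the RFE says HyperShift/CAPI does today, carries ec2:MetadataHttpTokens=optional in the request context and is denied outright; that is the "cannot create HCP clusters" failure above. The account default only helps once the RunInstances call omits MetadataOptions, which is the change the RFE asks for.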

      4. List any affected packages or components.

      HyperShift, OVN

              azaalouk Adel Zaalouk
              rh-ee-bchandra Balachandran Chandrasekaran